what are Microsoft security recommendation for Microsoft Entra

Richa Kumari 286 Reputation points
2024-04-16T16:14:14.66+00:00

hello,

We are setting up a Microsoft Enterprise tenant; what basic recommendations can we make to make it more secure?
Like we know, we like to implement MFA,CA ,PIM ,Audit log anything apart for this specially from IAM side security.

Thanks
Richa

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,727 questions
Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
338 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,537 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcin Policht 10,845 Reputation points MVP
    2024-04-16T16:50:52.1166667+00:00
    1. Role-Based Access Control (RBAC): Implement RBAC to control access to Azure resources based on the principle of least privilege. Assign roles with appropriate permissions to users and groups to limit access to only what is necessary for their job responsibilities.
    2. Identity Protection: Enable Entra ID Identity Protection to detect and mitigate identity-based risks and threats in real-time. Configure risk-based policies to enforce actions such as blocking or requiring MFA based on risk levels.
    3. Privileged Identity Management (PIM): Utilize Entra ID Privileged Identity Management to manage, control, and monitor access to privileged roles in Entra ID, Azure, and other Microsoft Online Services. Enforce just-in-time access, approval workflows, and auditing for elevated privileges.
    4. Password Policies: Enforce strong password policies, including complexity requirements, expiration, and account lockout settings. Consider implementing Entra ID Password Protection to prevent users from using weak or commonly used passwords.
    5. Conditional Access Policies: Create Conditional Access policies to enforce access controls based on various conditions such as user location, device compliance, risk level, or application sensitivity. Apply policies to specific user groups or applications to tailor access controls.
    6. Identity Governance: Implement identity governance processes to manage the lifecycle of user identities, including provisioning, deprovisioning, and access reviews. Use Entra ID Entitlement Management to automate access reviews and streamline access request workflows.
    7. Monitoring and Logging: Enable Entra ID audit logging to track changes to user accounts, group memberships, and administrative activities. Integrate Entra ID logs with Azure Monitor or third-party SIEM solutions for centralized monitoring and analysis of security events.
    8. Secure Authentication Methods: Encourage the use of modern authentication methods such as Entra ID Seamless Single Sign-On (SSO) or passwordless authentication options (e.g., Windows Hello for Business, FIDO2 security keys) to enhance security and user experience.
    9. Regular Security Assessments: Conduct regular security assessments and reviews of Entra ID configurations, policies, and access controls to identify and remediate security gaps or misconfigurations.

     

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments
  2. Navya 4,000 Reputation points Microsoft Vendor
    2024-04-17T09:39:12.14+00:00

    Hi @Richa Kumari

    Thank you for posting this in Microsoft Q&A.

    I understand that you are asking for basic recommendations to make their Microsoft Enterprise tenant more secure.

    Minimize MFA prompts from known devices: This recommendation improves your user's productivity and minimizes the sign-in time with fewer MFA prompts. Ensure that your most sensitive resources can have the tightest controls, while your least sensitive resources can be more freely accessible.

    Protect all users with a user risk policy: With the user risk policy turned on, Microsoft Entra ID detects the probability that a user account has been compromised. As an administrator, you can configure a user risk Conditional Access policy to automatically respond to a specific user risk level.

    Convert per-user MFA to Conditional Access MFA: This recommendation improves your user's productivity and minimizes the sign-in time with fewer MFA prompts.

    Renew expiring service principal credentials: Renewing the service principal credential(s) before expiration ensures the application continues to function and reduces the possibility of downtime due to an expired credential.

    You can find these recommendations that are in general availability on the Microsoft Entra recommendations portal by looking for “Generally Available” under the column titled “Release Type” as shown below. 

    For more information on these recommendations, please refer to this document: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/overview-recommendations#recommendation-availability-and-license-requirements

    https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-new-and-upcoming-entra-recommendations-to-enhance/ba-p/3796390

    Hope this helps. Do let us know if you any further queries.

    Thanks,

    Navya.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote" it.